Following the discontinuation of Starboard, this App has been deprecated in favor of Trivy Operator. Please update any active installations of starboard-app to the newer trivy-operator-app.
Giant Swarm offers an app for Aqua Security's Starboard, which can be installed in workload clusters. It is part of our managed security solution, but can also be installed independently.
Starboard is an in-cluster component which runs vulnerability scans of running workloads using Trivy, Kubernetes CIS benchmark reports using kube-bench, and configuration audits using Polaris. The results of these scans are saved in the cluster in the form of Kubernetes custom resources named VulnerabilityReport, CISKubeBenchReport, and ConfigAuditReport, respectively. It can also be configured to run more intrusive vulnerability scans using kube-hunter.
Results of each scan type can be retrieved from the cluster, for example using kubectl:
$ kubectl get vulnerabilityreports
NAMESPACE NAME REPOSITORY TAG SCANNER AGE
...You can also export the data from these reports to Prometheus to use in alerts and Grafana dashboards using our starboard-exporter.
This repository contains our packaging and Giant Swarm-specific configuration of the upstream charts.
There are several ways to install this app onto a workload cluster.
- Using our web interface
- By creating an App resource in the management cluster as explained in Getting started with App Platform.
To perform vulnerability scans and produce VulnerabilityReport CRs, Starboard needs a vulnerability scanner.
We recommend first installing our Trivy app in your cluster to serve as the vulnerability scanner for Starboard, or using another existing Trivy instance.
Alternatively, you can configure Starboard to use Standalone mode, which creates an instance of the Trivy scanner per-scan. This is very inefficient and can lead to throttling by the backing vulnerability database. To do so, set trivy.mode to Standalone in values.yaml.
In either case, please note that the Trivy version set by trivy.imageRef must be the same version as your Trivy backend (even if the actual image is not the same), as Starboard uses that value internally to determine the API format to use for Trivy.
This repository contains two git subtrees tracking the upstream charts for Starboard:
- the local
helm/starboard-app/charts/starboard-operatorpath tracks thedeploy/helmpath upstream - the local
helm/starboard-app/charts/starboard-operator/crdspath tracks thedeploy/crdpath upstream
To update the subtrees with new upstream changes:
# Add the remote if you haven't already
git remote add upstream https://github.com/giantswarm/starboard-upstream
git checkout upstream/main
git subtree split -P deploy/helm -b temp-split-helm
# Next two steps only if you don't already have a branch for review
git checkout main
git checkout -b update
# Update the subtree
git subtree merge --squash -P helm/starboard-app/charts/starboard-operator temp-split-helm
# Commit and push your changes
# VERY IMPORTANT: When merging a PR including a subtree, do not squash the commits!
# Squashing will destroy the tracking information for the subtree. If that happens, see scripts/subtree-update.sh.